Skip to content

build(deps): bump node-forge from 1.2.1 to 1.3.1 in /src/WebApps/pfr-app/pfr-app#252

Merged
live-dev999 merged 34 commits intodevfrom
dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/node-forge-1.3.1
Apr 2, 2022
Merged

build(deps): bump node-forge from 1.2.1 to 1.3.1 in /src/WebApps/pfr-app/pfr-app#252
live-dev999 merged 34 commits intodevfrom
dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/node-forge-1.3.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 2, 2022

Bumps node-forge from 1.2.1 to 1.3.1.

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

  • RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

live-dev999 and others added 30 commits November 17, 2021 13:52
@live-dev999
analysis: add codeql-analysis
ff93d3f
@live-dev999
Merge branch 'LiveDevTeam:master' into master
a16c91f
@live-dev999
Merge branch 'LiveDevTeam:master' into master
44eb6ae
@live-dev999
Merge branch 'LiveDevTeam:master' into master
5130b4a
@dependabot
build(deps): bump follow-redirects in /src/WebApps/pfr-app/c-gen
ddad692 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump follow-redirects in /src/WebApps/pfr-app/smalltalk
5fe8a3b 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump follow-redirects in /src/WebApps/pfr-app/pfr-app
e337ebb 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
Merge branch 'LiveDevTeam:master' into master
27d4161
@dependabot
build(deps): bump node-forge in /src/WebApps/pfr-app/pfr-app
09b818a 
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump node-forge in /src/WebApps/pfr-app/c-gen
9e4b088 
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
chore(issue-113): fix main solution for services
0f68230
@dependabot
build(deps): bump minimist in /src/WebApps/pfr-app/smalltalk
ca0a3ee 
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
build(deps): bump minimist from 1.2.5 to 1.2.6 in /src/WebApps/pfr-ap…
cf0455d 
…p/smalltalk

Merge pull request #14 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/smalltalk/minimist-1.2.6
@dependabot
build(deps): bump nanoid in /src/Services/auth/O2NextGen.Auth.Web
b4e5b0c 
Bumps [nanoid](https://github.com/ai/nanoid) from 3.1.30 to 3.3.2.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.1.30...3.3.2)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump minimist in /src/WebApps/pfr-app/pfr-app
ea3d455 
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
build(pr-deps): bump minimist from 1.2.5 to 1.2.6 in /src/WebApps/pfr…
5e9a890 
…-app/pfr-app

Merge pull request #13 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/minimist-1.2.6
@dependabot
build(deps): bump minimist in /src/WebApps/pfr-app/c-gen
e879293 
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
build(deps): bump minimist in /src/Services/auth/O2NextGen.Auth.Web
2c9528f 
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
build(pr-deps): bump follow-redirects from 1.14.7 to 1.14.8 in /src/W…
8ecb697 
…ebApps/pfr-app/c-gen

Merge pull request #4 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/c-gen/follow-redirects-1.14.8
@live-dev999
build(pf-deps): bump follow-redirects from 1.14.7 to 1.14.8 in /src/W…
023d6cd 
…ebApps/pfr-app/smalltalk

Merge pull request #5 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/smalltalk/follow-redirects-1.14.8
@live-dev999
build(pr-deps): bump follow-redirects from 1.14.7 to 1.14.8 in /src/W…
c6fe4a8 
…ebApps/pfr-app/pfr-app

Merge pull request #6 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/follow-redirects-1.14.8
@live-dev999
build(pr-deps): bump node-forge from 1.2.1 to 1.3.0 in /src/WebApps/p…
8aec98a 
…fr-app/pfr-app

Merge pull request #8 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/node-forge-1.3.0
@dependabot
build(deps): bump follow-redirects in /src/WebApps/pfr-app/server
6f0c5a6 
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.9.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.7...v1.14.9)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
build(pr-deps): bump node-forge from 1.2.1 to 1.3.0 in /src/WebApps/p…
31faad4 
…fr-app/c-gen

Merge pull request #9 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/c-gen/node-forge-1.3.0
@dependabot
build(deps): bump node-forge in /src/WebApps/pfr-app/smalltalk
2bf2b2e 
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.1.
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.2.1...v1.3.1)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@live-dev999
build(pr-deps): bump nanoid from 3.1.30 to 3.3.2 in /src/Services/aut…
ba156d8 
…h/O2NextGen.Auth.Web

Merge pull request #15 from live-dev999/dependabot/npm_and_yarn/src/Services/auth/O2NextGen.Auth.Web/nanoid-3.3.2
@live-dev999
build(pr-deps): bump minimist from 1.2.5 to 1.2.6 in /src/WebApps/pfr…
e790642 
…-app/c-gen

Merge pull request #12 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/c-gen/minimist-1.2.6
@live-dev999
build(pr-deps): bump minimist from 1.2.5 to 1.2.6 in /src/Services/au…
1de2587 
…th/O2NextGen.Auth.Web

Merge pull request #11 from live-dev999/dependabot/npm_and_yarn/src/Services/auth/O2NextGen.Auth.Web/minimist-1.2.6
@live-dev999
build(pr-deps): bump follow-redirects from 1.14.7 to 1.14.9 in /src/W…
1ce2cc5 
…ebApps/pfr-app/server

Merge pull request #16 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/server/follow-redirects-1.14.9
@live-dev999
build(pr-deps): bump node-forge from 1.2.1 to 1.3.1 in /src/WebApps/p…
185dc0b 
…fr-app/smalltalk

Merge pull request #18 from live-dev999/dependabot/npm_and_yarn/src/WebApps/pfr-app/smalltalk/node-forge-1.3.1
Dzianis Prokharchyk and others added 2 commits April 2, 2022 14:27
Merge branch 'master' into dev
f41987d
@dependabot
build(deps): bump node-forge in /src/WebApps/pfr-app/pfr-app
8a1fba6 
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.2.1 to 1.3.1.
- [Release notes](https://github.com/digitalbazaar/forge/releases)
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.2.1...v1.3.1)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 2, 2022
@live-dev999 live-dev999 changed the base branch from master to dev April 2, 2022 11:35
Dzianis Prokharchyk and others added 2 commits April 2, 2022 14:39
Merge remote-tracking branch 'upstream/dev' into dev
8d147b2 
# Conflicts:
#	src/Services/auth/O2NextGen.Auth.Web/package-lock.json
#	src/WebApps/pfr-app/pfr-app/yarn.lock
#	src/WebApps/pfr-app/smalltalk/yarn.lock
@live-dev999
Merge branch 'dev' into dependabot/npm_and_yarn/src/WebApps/pfr-app/p…
ede0043 
…fr-app/node-forge-1.3.1

# Conflicts:
#	src/WebApps/pfr-app/pfr-app/yarn.lock
@live-dev999 live-dev999 merged commit 6769878 into dev Apr 2, 2022
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 2, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/src/WebApps/pfr-app/pfr-app/node-forge-1.3.1 branch April 2, 2022 11:45
@live-dev999 live-dev999 added this to the v1.0.0.3 milestone Apr 2, 2022
@live-dev999 live-dev999 self-assigned this Apr 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlbusaOxyuranus AlbusaOxyuranus Awaiting requested review from AlbusaOxyuranus

Assignees

@live-dev999 live-dev999

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

v1.0.0.3

Development

Successfully merging this pull request may close these issues.

1 participant

@live-dev999